IIS Ciphers-Inbound vs. Outbound?

Hey all
We are in the process of implementing Alert Logic in our environment. This particular portion of the environment is behind a load balancer and firewall. In order for Alert Logic to be able to read the traffic behind the load balancer, we needed to disable Diffie-Hellman (DHE) and elliptic curve Diffie-Hellman key exchanges.
So, I did this and I am indeed able to verify that applications hosted on that server on IIS are not using DHE/ECDH.
I ran into a problem, however, when I am making outbound HTTPS calls from Epicor server-side functions (hosted on that server) to the internet, and I'm getting a generic handshake SSL/TLS error.
When I re-enable DHE/ECDHE, the errors go away and I can make outbound HTTPS connections to my heart's content.

This is a layered problem in that we believe the load balancer still has DHE turned on, but you’d think it would be able to negotiate downward.
All that is to say: can IIS handle inbound traffic without DHE and outbound traffic with DHE, or is it all the same since it's at the OS level?

What does IIS Crypto show for key exchange?

Hey Olga,

Currently, because I have them turned ON again to continue development, my key exchanges look like this:

When I had them OFF, they looked like this:

The only other variable was I also added a couple of parameters to the registry at local machine>>CurrentControlSet>Services>HTTP>Parameters because I was getting Chrome issues accessing the hosted application in Chrome.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters]
"EnableHttp2Tls"=dword:00000000
"EnableHttp2Cleartext"=dword:00000000

Do you remove DH* cipher suites as well?

They appear to be…


Hmm, except the ECDHE ones

Just to wrap the conversation up; IIS is a little different than other web servers in that the ciphers affect and are bound at the operating system level, so there is no way to define inbound and outbound.
We made the change at the load balancer level for client-facing ciphers to be different than server-facing ones instead.
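The wrap-up above is the key point: Schannel's key-exchange policy is machine-wide, so disabling DH/ECDH for inbound IIS traffic also removes those key exchanges from every outbound .NET client handshake on the same box. The script below is an added example, not code from the thread or from Epicor/IIS Crypto. It reads the Schannel registry switches that IIS Crypto toggles, lists the enabled cipher suites that use (EC)DH key exchange, reads the HTTP.sys values from the post above, and then performs one outbound TLS handshake from the same host to show which key exchange was actually negotiated (or surfaces the handshake failure described in the thread). The target host name and port are parameters you supply; no values here come from the original environment.

```powershell
# Added example, not from the original thread. Run on the IIS host itself in an
# elevated PowerShell session. Shows that one Schannel policy governs both the
# IIS listener and outbound client handshakes made by code on the same machine.

# 1. Schannel key-exchange algorithm switches (the keys IIS Crypto writes).
#    A missing 'Enabled' value means the OS default (enabled); 0 means disabled.
function Get-SchannelKeyExchangeState {
    $kexRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms'
    foreach ($alg in 'Diffie-Hellman', 'ECDH', 'PKCS') {
        $path    = Join-Path $kexRoot $alg
        $enabled = (Get-ItemProperty -Path $path -Name Enabled -ErrorAction SilentlyContinue).Enabled
        $state   = if ($null -eq $enabled)  { 'default (enabled)' }
                   elseif ($enabled -eq 0) { 'DISABLED' }
                   else                    { 'enabled' }
        [pscustomobject]@{ Algorithm = $alg; State = $state }
    }
}

# 2. Enabled cipher suites whose key exchange is DHE or ECDHE
#    (Get-TlsCipherSuite requires Windows Server 2016 / Windows 10 or later).
function Get-EnabledDhCipherSuites {
    Get-TlsCipherSuite |
        Where-Object { $_.Name -match '_(EC)?DHE?_' } |
        Select-Object Name, Exchange, Protocols
}

# 3. The HTTP.sys values mentioned in the thread (HTTP/2 on TLS and cleartext).
function Get-HttpSysHttp2Settings {
    Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters' `
        -Name EnableHttp2Tls, EnableHttp2Cleartext -ErrorAction SilentlyContinue |
        Select-Object EnableHttp2Tls, EnableHttp2Cleartext
}

# 4. One outbound handshake from this host, using the same Schannel policy that
#    the Epicor server-side code would use. $HostName/$Port are your own choice.
#    A handshake that fails because the remote side only offers (EC)DHE suites
#    is reported rather than thrown, so the symptom from the thread is visible.
function Test-OutboundKeyExchange {
    param(
        [Parameter(Mandatory)] [string] $HostName,   # assumption: any HTTPS endpoint you own
        [int] $Port = 443
    )
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        # On .NET Framework, ECDHE is reported as the numeric value 44550 rather
        # than a named ExchangeAlgorithmType member; DiffieHellman covers DHE.
        [pscustomobject]@{
            Host        = $HostName
            Protocol    = $ssl.SslProtocol
            KeyExchange = $ssl.KeyExchangeAlgorithm
            Cipher      = $ssl.CipherAlgorithm
            Result      = 'handshake OK'
        }
    } catch [System.Security.Authentication.AuthenticationException] {
        [pscustomobject]@{
            Host        = $HostName
            Protocol    = $null
            KeyExchange = $null
            Cipher      = $null
            Result      = "handshake FAILED: $($_.Exception.Message)"
        }
    } finally {
        $client.Dispose()
    }
}

'--- Schannel key-exchange switches ---'
Get-SchannelKeyExchangeState | Format-Table -AutoSize
'--- Enabled (EC)DHE cipher suites ---'
Get-EnabledDhCipherSuites | Format-Table -AutoSize
'--- HTTP.sys HTTP/2 settings ---'
Get-HttpSysHttp2Settings | Format-List
'--- Outbound probe (replace with an endpoint you control) ---'
Test-OutboundKeyExchange -HostName 'example.com' | Format-List
```

Read the output as a pair: if the key-exchange switches show Diffie-Hellman and ECDH as DISABLED, the probe's KeyExchange will never be DiffieHellman or ECDHE regardless of what the remote server prefers, and a remote server that offers only (EC)DHE suites produces the "handshake FAILED" line. That is the same Schannel policy the IIS listener enforces inbound, which is why there is no per-direction setting and the thread's fix had to move to the load balancer.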